All Products
Search
Document Center

PolarDB:Manage encryption rules

Last Updated:Jan 31, 2024

You can create, modify, delete, enable, and disable encryption rules in the PolarDB console. This topic describes how to manage encryption rules.

Prerequisites

The PolarProxy version in PolarDB is 2.8.18 or later. For information about how to view or update the version of your PolarProxy, see Minor version update.

Limitations

  • The encryption rules do not take effect on primary endpoints. You need to use the cluster endpoint or a custom cluster endpoint.

  • The PolarDB Always Encrypted feature supports only COM_QUERY commands. Other command types such as COM_STMT_PREPARE are not supported. EncJDBC only supports Text Protocol. Binary Protocol is not supported. Operations that leverage prepared statements are always completed through Text Protocol queries.

  • PolarDB Always Encrypted and dynamic masking cannot be enabled at the same time.

  • If dynamic masking rules exist, to enable PolarDB Always Encrypted, you need to delete all existing masking rules and create new rules whose type is encryption.

  • CMKs cannot be modified after they are specified. The entire cluster uses the same CMK.

  • If you bypass SecureGW and directly connect to the native MySQL kernel, the encryption feature does not take effect. We recommend that you avoid doing this. To minimize the impact of unauthorized access, we also recommend that you enable other security features like log auditing.

Create an encryption rule

  1. Log on to the PolarDB console.

  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

  6. On the Dynamic Data Masking/Encryption tab, click Add in the upper-left corner.

  7. In the Create Rule dialog box, configure the parameters.

    Table 1. Configure encryption rules

    Parameter

    Required

    Description

    Basic Information

    Rule Name

    Yes

    The name of the encryption rule. The name can be up to 30 characters in length.

    Description

    No

    The description of the rule. The description can be up to 64 characters in length.

    Enable/Disable

    N/A

    Enable/Disable

    Note

    This switch is turned on by default.Enable/Disable

    Endpoint

    Yes

    The endpoint to which the current rule is applied.

    Configurations

    Database Account Name

    No

    The name of the database account to which the rule is applied. Valid values:

    • All Accounts: indicates that the rule applies to all accounts of the cluster. The text box on the right must be left empty.

    • Include: indicates that the rule applies only to specified database accounts. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).

    • Exclude: indicates that the rule applies only to database accounts that are not specified in this section. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).

    Note

    The database account names can be in the following formats:

    • account name. Example: user

    • account name@full IP address. Example: user@10.1.1.1

    • account name@IP address with wildcard characters. Example: user@10.1.1.%, user@%.1.1.1, or user@1.%.1

    • account name@IP address/subnet mask. Example: user@10.1.1.0/255.255.255.0

    Database Name

    No

    The name of the database to which the rule is applied. Valid values:

    • All Databases: indicates that the rule applies to all the databases in the cluster. The text box on the right need to be left empty.

    • Include: indicates that the rule applies only to specified databases. You need to specify at least one database name in the text box on the right. Separate multiple database names with commas (,).

    Table Name

    No

    The name of the table to which the rule is applied. Valid values:

    • All tables: indicates that the rule applies to all the tables in the cluster. The text box on the right must be left empty.

    • Include: indicates that the rule applies only to specified tables. You need to specify at least one table name in the text box on the right. Separate multiple table names with commas (,).

    Column Name

    Yes

    The names of the fields to which the rule is applied. You can specify more than one field name and separate multiple field names with commas (,).

  8. In the message that appears, click OK.

Enable or disable a rule

  1. Log on to the PolarDB console.

  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

  6. Find the rule and turn the switch in the Enable/Disable column on or off.

    image.png

    Note
    • You can select multiple rules in the list and then click Enable or Disable at the bottom of the list to batch enable or disable the rules.

    • Disabled rules are not deleted. You can enable disabled rules when needed. Disable You can Enable disabled rules when needed.

  7. In the dialog box that appears, click OK.

Modify an encryption rule

  1. Log on to the PolarDB console.

  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

  6. Find the target rule and click Modify in the Actions column. In the dialog box that appears, configure the parameters.

  7. Click OK.

Delete an encryption rule

  1. Log on to the PolarDB console.

  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

  6. Find the target rule and click Delete in the Actions column.

  7. In the dialog box that appears, click OK.